Subscribe
About

Govt licenses crypto vendors

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 19 Jun 2007

The Department of Communications has licensed about 16 cryptography services providers under the Electronic Communications and Transactions (ECT) Act. One licence was turned down after a vendor failed to pay a registration fee.

Communications minister Ivy Matsepe-Casaburri says the ECT Act created the register as a tool that can assist law enforcement agencies to perform their duties in fighting cybercrime.

"Information in the register can be used to and may lead to a successful tracing of a cryptography user, or can assist a law enforcement officer in obtaining a decryption court order in terms of the interception legislation [the Regulation of Interception of Communications Act]."

She added the register also contributes to the attainment of the Act`s objectives to promote legal certainty and confidence in respect of electronic communications and transactions.

"It also aims to develop a safe, secure and effective environment for the consumer, business and government to conduct and use electronic transactions, and to ensure that a national interest of the public [sic] is not compromised through the use of electronic communications."

Industry compliance

Matsepe-Casaburri`s department issued regulations in March last year, requiring all crypto vendors to register.

At the time, the call caused some confusion, as some of the definitions in the ECT Act and regulations were vague. The confusion was aggravated by the criminalisation of non-compliance: failure to register could lead to a fine or up to two years` imprisonment, and the department stated its intention to prosecute illegal providers.

The minister said she was pleased with the level of industry compliance and noted the department had a positive response from cryptography service providers, including the internationally based providers.

Matsepe-Casaburri also called on the registered vendors to form an industry association to ease liaison with her department. This found favour with some vendors, who said it would help them overcome the challenge of standards.

Authentication standard

VeriSign SA marketing assistant Kevin Brown says cryptography is key to authenticating Web sites. "However, there is no definitive standard on what we are meant to authenticate," he says.

"We`ve been in the market for 12 years, and when we started we set the bar very high with respect to authentication processes and we have obviously maintained the high bar. But from an industry perspective, as new players entered the markets, different authentication processes and procedures were introduced.

"Quicker authentication and more automated authentication obviously increase the risk to the end-user. When you log on to an Internet Explorer Web site, all you see is a little padlock. It does not give you much insight into which authentication process was used," he adds.

Brown says lax standards have seen some phishing Web sites display certificates, something that can only undermine public trust.

Related stories:
The importance of IT security
Counterpane is snapped up
Strategies for secure business
Cell user registration date withdrawn
The burden of cellphone registration
Electronic eavesdropping under stricter control
MPs remain firm on RICA cell deadline
Operators seek RICA deadline extension

Share